1. Security Guide
  2. Business Operations Center Security

11 Business Operations Center Security

Learn how to install and implement Oracle Communications Business Operations Center and its components in a secure configuration.

Topics in this document:

About Installing Business Operations Center

Before installing Business Operations Center, you must properly install and configure several Oracle products, including Java, Oracle WebLogic Server, Oracle Identity and Access Management components, and Oracle Communications Billing and Revenue Management.

For installation instructions, including all the required products and related tasks, such as setting up KeyStores and SSL for WebLogic Server, see "Installing Business Operations Center" in Business Operations Center Installation Guide.

About Implementing Business Operations Center Security

Business Operations Center supports stringent authorization and authentication requirements. This section describes how to implement the security capabilities supported by Business Operations Center.

About Identity and Access Management

To authenticate users when they log in and to control user access to functionality, Business Operations Center uses the following Oracle Identity and Access Management components in a production environment:

  • Oracle Identity Cloud Service (IDCS)

  • Oracle Identity Manager for authentication

  • Oracle Platform Security Services (OPSS) for authorization

These components are required in a Business Operations Center implementation.

For more information, see the following documentation:

  • Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager

  • Oracle Fusion Middleware Administrator's Guide for Oracle Platform Security Services

About Authentication

Authentication is the process of verifying the identity of a user. The Business Operations Center authentication scheme is designed for deployments in which a central user identity repository, storing all enterprise users, authenticates Business Operations Center sign-in requests.

Business Operations Center supports the following security for authentication:

  • Authenticating users against an LDAP-based user ID repository

  • Enabling single-sign-on capabilities

  • Supporting user's password policies

Oracle Identity Manager manages user password policies. For more information, see Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

About Authorization

Authorization is the process of granting users access to privileges (entitlements) appropriate for their job functions while denying access to other functionality. Oracle Platform Security Services handles all authorization tasks for Business Operations Center.

A user who has not been granted any entitlements in Oracle Platform Security Services is denied access to Business Operations Center.

To grant entitlements, you use authorization policies, which contain a collection of the following components combined to form a logical entitlement:

  • Resource type: Specifies the full scope of traits for a resource, such as job execution history, and defines all actions that can be performed on the resource.

  • Resource: Represents the aspect of an application's functionality being secured, such as billing, payment collection, and invoicing. Each resource must belong to a resource type.

  • Action: Represents an operation that can be performed on a resource, such as view, create, modify, delete, history, and timeline.

You map authorization policies to enterprise (external) roles, which represent job functions for the users in your company. If you do not map enterprise roles to authorization policies, you must map each user to an authorization policy.

For more information about authorization policies and enterprise roles, see Oracle Fusion Middleware Administrator's Guide for Oracle Platform Security Services.

Business Operations Center includes an authorization policy component file (system-jazn-data.xml), which defines all the resource types, resources, and actions available for Business Operations Center authorization policies (see Table 11-1).

Table 11-1 Business Operations Center Authorization Policy Components

Resource Type Resource Action Description

Metrics

Subscribers

View

Permits users to view subscriber metrics.

Metrics

Subscriptions

View

Permits users to view subscription metrics.

Metrics

Billed Revenue

View

Permits users to view billed-revenue metrics.

Metrics

Payments Received

View

Permits users to view payments-received metrics.

Metrics

AR

View

Permits users to view accounts receivable in the dashboard.

Job

Billing

GL

Invoicing

PaymentCollection

PricingSync

Refund

Workflow

Create

View

Modify

Delete

Timeline

History

Create: You can create a new job.

View: You can view job categories and the jobs for this category.

Modify: You can edit a job, deactivate or reactivate jobs.

Delete: You can delete jobs.

Timeline: You can view the timeline.

History: You can view jobs in history.

PaymentFailures PaymentFailures

View

Resolve

View: You can view realtime checkpoints, unresolved batches and unresolved payments, and failure report for Payment Collections jobs.

Resolve: You can resolve unresolved payments.

BlackoutPeriod BlackoutPeriod

View

Create

Delete

View: You can view the blackout period in the timeline.

Create: You can create the blackout period in the timeline.

Delete: You can remove the blackout period in the timeline.

Job Custom

Create

View

Modify

Delete

Create: You can create custom categories in Business Operations Center.

View: You can only view custom categories in Business Operations Center.

Job

VirtualTime

View

Modify

View: You can view the modified pin virtual time in the Manage Virtual Time banner.

Modify: You can change the pin virtual time and date from the jobs actions menu or manage the virtual time banner.

Any

Any

Any

Permits users to perform all operations.
Job

category_customcategory1_resource

Where:

  • category is a prefix you should add for each resource name.

  • customcategory1 is the name of the resource of the custom category entered when you create a new category.

  • resource is the suffix that you should add to the resource name.

For example, category_custom_billing_resource

For information about creating a resource name, see "Defining a Custom Category" in Business Operations Center Online Help.

Create

View

Modify

Delete

Timeline

History

Create: You can create a new job.

View: You can view job categories and the jobs for this category.

Modify: You can edit a job, deactivate or reactivate jobs.

Delete: You can delete jobs.

Timeline: You can view the timeline.

History: You can view jobs in history.

The system-jazn-data.xml file also includes the following sample authorization policies:

  • OperationsAdminPolicy

  • FinancialsAdminPolicy

  • FullAdminPolicy

The file is located in the Domain_home/lib/oes_config directory, where Domain_home is the WebLogic Server domain home directory location of the Oracle Platform Security Services client domain in which Business Operations Center is deployed.

Note:

Do not change the system-jazn-data.xml file.

Creating Authorization Policies for Business Operations Center

To create authorization policies for Business Operations Center:

  1. Import the Business Operations Center authorization policy component file:

    Domain_home/lib/oes_config/system-jazn-data.xml

    For detailed instructions, see "Importing the Business Operations Center Operations Security Policies into OPSS" in Business Operations Center Installation Guide.

  2. In Oracle Platform Security Services (OPSS), map an authorization policy to one or more resources, which may have one or more actions.

    For more information, see Oracle Fusion Middleware Administrator's Guide for Oracle Platform Security Services.

  3. Associate the authorization policy with a user or an enterprise role.

    For more information, see Oracle Fusion Middleware Administrator's Guide for Oracle Platform Security Services.

  4. Redeploy all changes made in OPSS.

Figure 11-1 shows how authorization policies are mapped to resources and enterprise roles or users:

Figure 11-1 Mapping Authorization Policies to Resources and Enterprise Roles or Users

Description of Figure 11-1 follows
Description of "Figure 11-1 Mapping Authorization Policies to Resources and Enterprise Roles or Users"

Storing Business Operations Center Passwords in Oracle Wallet

By default, the Business Operations Center Installer stores sensitive information such as passwords in the Oracle wallet and the Business Operations Center application retrieves the passwords from the Oracle wallet. However, if the passwords are also stored in the configuration files, the Business Operations Center application retrieves the passwords from the configuration files. The Business Operations Center application automatically decrypts the encrypted passwords when retrieving them from the configuration files.

By default, the passwords in the configuration files are encrypted in the Oracle ZT PKI format. For more information, see "Encrypting Data" in BRM Developer's Guide.

Note:

To encrypt passwords that are associated with customizations, use the pin_crypt_app utility. For details, see "About Encrypting Passwords" in BRM Developer's Guide.

Storing Configuration Entries in the Business Operations Center Wallet

To store a configuration entry for the Business Operations Center wallet:

  1. Go to the BOC_home/wallet/client directory, where BOC_home is the directory in which Business Operations Center is installed.

  2. Do one of the following:

    • On Linux, run the following command:

      java -cp '.:oraclepki.jar_location:osdt_cert.jar_location:osdt_core.jar_location:cet.jar_location' com.portal.cet.ConfigEditor -setconf -wallet clientWalletLocation -parameter configEntry -value value

      where:

      • oraclepki.jar_location is the path to the oraclepki.jar file, which contains the APIs that are required for the wallet. The oraclepki.jar file is stored in the BOC_home/lib directory.

      • osdt_cert.jar_location is the path to the osdt_cert.jar file, which contains the JARs that are used by the JAVA PCM library for establishing a TLS connection to BRM. The osdt_cert.jar file is stored in the BOC_home/lib directory.

      • osdt_core.jar_location is the path to the osdt_core.jar file, which contains the JARs that are used by the JAVA PCM library for establishing a TLS connection to BRM. The osdt_core.jar file is stored in the BOC_home/lib directory.

      • cet.jar_location is the path to the cet.jar file, which contains the APIs that are required for the wallet. The cet.jar is stored in the BOC_home/lib directory.

      • clientWalletLocation is the path to the Business Operations Center wallet.

      • configEntry is the configuration entry in the Business Operations Center wallet.

      • value is the appropriate value for the respective entry in the Business Operations Center wallet.

      For example, running the following command with the -value parameter stores the infranet.log.level as 1 in the Business Operations Center wallet. If the value exists in the wallet, it will be overwritten: 

      java -cp '.:oraclepki.jar:osdt_cert.jar:osdt_core.jar:cet.jar:' com.portal.cet.ConfigEditor  -setconf -wallet "/scratch/pin11/wallet" -parameter infranet.log.level -value 1

      If you run the command without the -value parameter, it prompts for the values for the infranet.connection entries and stores them in the Business Operations Center wallet. At the command prompt, enter values listed in Table 11-2.

      Table 11-2 BRM Connection Information

      Field Description

      User Name

      The user name for connecting to BRM.

      Password

      The BRM user's password.

      Host Name

      The IP address or the host name of the machine on which the primary BRM Connection Manager (CM) or CM Master Process (CMMP) are running.

      Port Number

      The TCP port number of the CM or CMMP on the host computer.

      Service Type

      The BRM service type.

      Service POID Id

      The POID of the BRM service.

    • On Windows, run the following command:

      java -cp ".;oraclepki.jar_location:osdt_cert.jar_location:osdt_core.jar_location:cet.jar_location" com.portal.cet.ConfigEditor -setconf -wallet clientWalletLocation -parameter configEntry -value value

      For example, running the following command with the -value parameter stores the infranet.log.level as 1 in the Business Operations Center wallet: 

      java -cp ".;C:\Program Files (x86)\Portal Software\BOC_HOME\lib\oraclepki.jar;C:\Program Files (x86)\Portal Software\BOC_HOME\lib\osdt_cert.jar;C:\Program Files (x86)\Portal Software\BOC_HOME\lib\osdt_core.jar;C:\Program Files (x86)\Portal Software\BOC_HOME\lib\cet.jar" com.portal.cet.ConfigEditor  -setconf -wallet "C:\Program Files (x86)\Portal Software\BOC_HOME\wallet\client" -parameter infranet.log.level -value 1

      If you run the command without the -value parameter, it prompts for the values for the infranet.connection entries and stores them in the Business Operations Center wallet. At the command prompt, enter values listed in Table 11-2.

  3. Enter the Business Operations Center client wallet password.

    The value is stored in the Business Operations Center wallet.

For retrieving stored configuration entries, see "About Oracle Wallet" in BRM System Administrator's Guide.